Switch review workflows to submit_pull_request_review

[strawgate]

Summary

• Replace add-comment with submit-pull-request-review in security-review, pr-nitpick-reviewer, and grumpy-reviewer workflows
• Inline review comments are now bundled into a formal PR review (APPROVE/REQUEST_CHANGES/COMMENT) instead of posted as standalone comments
• Minimal prompt changes — only the output type references were updated, not the review guidance

Fixes #15817

---

---

✨ PR Review Safe Output Test - Run 22027158383

💥 [THE END] — Illustrated by Smoke Claude

[Copilot]

Pull request overview

Updates the three review-agent workflows to consolidate feedback into a single submitted PR review (with inline review comments bundled) rather than posting standalone PR comments, aligning with the “submit PR review” flow requested in #15817.

Changes:

• Replace add-comment safe output with submit-pull-request-review in security-review, pr-nitpick-reviewer, and grumpy-reviewer.
• Regenerate the corresponding compiled .lock.yml workflows to reflect the new safe-output tool and updated permissions.
• Update the agent prompts to refer to submit_pull_request_review as the summary/overall feedback mechanism.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
.github/workflows/security-review.md	Switches summary output guidance from comment posting to submitting a PR review.
.github/workflows/security-review.lock.yml	Regenerates safe-outputs config/tool schema to include submit_pull_request_review and drops add_comment; adjusts permissions accordingly.
.github/workflows/pr-nitpick-reviewer.md	Switches “general observations” guidance to submit_pull_request_review instead of add-comment.
.github/workflows/pr-nitpick-reviewer.lock.yml	Regenerates safe-outputs config/tool schema to include submit_pull_request_review and drops add_comment.
.github/workflows/grumpy-reviewer.md	Adds a dedicated “Submit the Review” step using submit_pull_request_review.
.github/workflows/grumpy-reviewer.lock.yml	Regenerates safe-outputs config/tool schema to include submit_pull_request_review and drops add_comment; adjusts permissions accordingly.

Comments suppressed due to low confidence (4)

.github/workflows/grumpy-reviewer.lock.yml:269

• The create_pull_request_review_comment tool description still recommends using add_comment for general PR feedback, but this workflow’s safe-outputs config no longer includes add_comment. This inconsistency can lead the agent to emit an unsupported output type; update the description to point to submit_pull_request_review (or re-enable add-comment in safe-outputs if that’s still intended).

            {
              "description": "Create a review comment on a specific line of code in a pull request. Use this for inline code review feedback, suggestions, or questions about specific code changes. For general PR comments not tied to specific lines, use add_comment instead. CONSTRAINTS: Maximum 5 review comment(s) can be created. Comments will be on the RIGHT side of the diff.",
              "inputSchema": {
                "additionalProperties": false,

.github/workflows/pr-nitpick-reviewer.lock.yml:308

• The create_pull_request_review_comment tool description still recommends using add_comment for general PR feedback, but this workflow’s safe-outputs config no longer includes add_comment. This inconsistency can lead the agent to emit an unsupported output type; update the description to point to submit_pull_request_review (or re-enable add-comment in safe-outputs if that’s still intended).

            {
              "description": "Create a review comment on a specific line of code in a pull request. Use this for inline code review feedback, suggestions, or questions about specific code changes. For general PR comments not tied to specific lines, use add_comment instead. CONSTRAINTS: Maximum 10 review comment(s) can be created. Comments will be on the RIGHT side of the diff.",
              "inputSchema": {
                "additionalProperties": false,

.github/workflows/security-review.md:184

• submit_pull_request_review defaults to event: COMMENT if event is omitted. If this workflow is expected to formally approve or request changes based on severity, Step 5 should instruct when to use APPROVE vs REQUEST_CHANGES (and to include the chosen event in the submission) so the review outcome isn’t always a comment-only review.

### Step 5: Submit the Review

Submit a review using `submit_pull_request_review` with:
- Total number of security concerns by severity
- Overview of boundaries affected
- Recommendations for the PR author
- Whether the changes require additional security review

.github/workflows/security-review.lock.yml:326

• The create_pull_request_review_comment tool description still recommends using add_comment for general PR feedback, but this workflow’s safe-outputs config no longer includes add_comment. This inconsistency can lead the agent to emit an unsupported output type; update the description to point to submit_pull_request_review (or re-enable add-comment in safe-outputs if that’s still intended).

            {
              "description": "Create a review comment on a specific line of code in a pull request. Use this for inline code review feedback, suggestions, or questions about specific code changes. For general PR comments not tied to specific lines, use add_comment instead. CONSTRAINTS: Maximum 10 review comment(s) can be created. Comments will be on the RIGHT side of the diff.",
              "inputSchema": {
                "additionalProperties": false,

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

PR titles: Fix awf logs command failure when binary not installed | Set lockdown: false on daily-syntax-error-quality workflow
GitHub MCP: ✅
Serena MCP: ✅
Playwright: ✅
File write: ✅
Bash cat: ✅
Build: ✅
Overall: PASS

AI generated by Smoke Codex